Behaviors First, Then Culture

May 7, 2015

Security Awareness Program Planning

Changing Behavior

I'm beginning to notice a trend within the world of security awareness: different groups of people talking about changing behaviors vs. changing culture. Some people talk as if they are separate projects or even separate goals. While they are different, they are very much related. Behaviors are the actions or manners of individuals within an environment. To learn more about behavior and changing behaviors, I highly recommend the BJ Fogg Behavior Model.

Culture is a bit more squishy: it is the attitudes, beliefs and behavioral norms of a group. So which one is more important, and which should you be focusing on? Ultimately both, but you want to start with behaviors first. In fact, you will notice that in the Security Awareness Maturity Model we have behaviors listed first. Why is that? Why don't we just focus on culture? There are several reasons for this.

Ultimately, it is behavior that secures an organization, not culture. If you have a strong security culture, people will believe in the need for security and the importance of the role they play, but do they still know what behaviors they need to exhibit? They may think they should be locking the door to their car, when in reality the fact that their mobile device has no passcode is a far larger issue. Behaviors secure the organization, not culture; it is just much easier to create and maintain secure behaviors in a strong security culture.

You can change behavior in days, but it takes years to change culture. John Kotter explains in his book "Leading Change" that for people to believe in change, they have to see their behaviors have a positive impact. When people see how phishing training helps them detect attacks, and when they see how a passcode protects their lost phone, they start believing in security. As a result, their attitudes and beliefs change. Ultimately, to change culture you need to start by changing behaviors.

For a truly mature awareness program, you want to ensure you are not only changing behaviors but also changing culture (and have a metrics framework to measure it). These goals are highly related, but to get there you have to start with behaviors first.

About the Author

Lance Spitzner

Director, SANS Security Awareness

Lance has over 20 years of security experience in cyber threat research, awareness and training. He invented the concept of honeynets, founded the Honeynet Project and helped pioneer the field of cyber intelligence. Lance has published three security books, consulted in over 25 countries and helped hundreds of organizations establish mature security awareness programs. Lance serves on the Board for the NCSA, is a frequent presenter and serial tweeter (@lspitzner), and works on numerous community security projects. He served as an armor officer in the Army's Rapid Deployment Force and earned his MBA from the University of Illinois.